Wiki source code of ACMP Intune Connector

Last modified by Sabrina V. on 2024/10/23 06:03
Show last authors
1 {{aagon.priorisierung}}
2 160
3 {{/aagon.priorisierung}}
4
5 {{aagon.floatingbox/}}
6
7 Microsoft Intune is a cloud-based solution that helps you manage your mobile devices. It allows you to remotely manage devices, secure access or even lock them down. With the ACMP Intune Connector, you can inventory the devices from Intune in ACMP and send the most important actions to the devices from ACMP.
8
9 = **Requirements for using the ACMP Intune Connector** =
10
11 To use the ACMP Intune Connector, the following requirements must be met:
12
13 * You need a user account with the appropriate permissions for Microsoft Azure Active Directory
14 * There must be a connection between AESB and ACMP. AESB must be available for this and the necessary details of the [[SICS connection>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]] must be stored in ACMP
15 * AESB must be at least version 1.8
16 * You need a working internet connection, as Intune is a cloud solution and requires a network connection to work.
17 * A running instance of Intune
18
19 = Preparations in Azure Active Directory =
20
21 To enable the ACMP Intune Connector to access the Intune API, you must first register an enterprise application in Azure Active Directory and grant the required permissions within those applications.
22
23 == Register the Enterprise Application ==
24
25 First, sign in to the [[Azure AD (Active Directory)>>https://aad.portal.azure.com/]] and navigate to Azure Active Directory in the Overview. Click the //Manage// > //Application// //Registrations// tab and create a new application registration.
26
27 {{figure}}
28 [[image:65_Intune_App-Registrierung in der Azure AD.png||data-xwiki-image-style-alignment="center"]]
29
30 {{figureCaption}}
31 App registrations in the Azure AD
32 {{/figureCaption}}
33 {{/figure}}
34
35 Enter all the necessary information: Enter a name for the application and select the accounts to support. Finish the process by clicking //Register//.
36
37 {{figure}}
38 [[image:65_Intune_Anwendung registrieren.png||data-xwiki-image-style-alignment="center"]]
39
40 {{figureCaption}}
41 Register application
42 {{/figureCaption}}
43 {{/figure}}
44
45 If you now open the created application, you will see a summary of the information added. This includes the display name, the various IDs (application, object and directory ID) and details of the account types supported.
46
47 {{figure}}
48 [[image:65_Intune_Zusammenfassung der Anwendungsinformationen.png||alt="65_Intune_Anwendung registrieren.png" data-xwiki-image-style-alignment="center"]]
49
50 {{figureCaption}}
51 Summary of the application information
52 {{/figureCaption}}
53 {{/figure}}
54
55 == Distribute permissions ==
56
57 The next step is to assign the necessary permissions to the business application to access the Graph API. To do this, go to the Permissions section within the registered application (//Manage// > //API// //Permissions//).
58
59 {{figure}}
60 [[image:65_Intune_API Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
61
62 {{figureCaption}}
63 API permissions
64 {{/figureCaption}}
65 {{/figure}}
66
67 There, click //Add Permission//. This will bring up a page where you can request the API permissions. In this step you need to select the //Microsoft Graph//.
68
69 {{figure}}
70 [[image:65_Intune_Microsoft Graph anfordern.png||data-xwiki-image-style-alignment="center"]]
71
72 {{figureCaption}}
73 API permissions: Request Microsoft Graph
74 {{/figureCaption}}
75 {{/figure}}
76
77 A distinction is made between "Delegated Permissions" and "Application Permissions". Enter the following values individually under 'Delegated permissions' and repeat the process by entering each of the following list entries:
78
79 * DeviceManagementManagedDevices.Read.All
80 * DeviceManagementManagedDevices.ReadWrite.All
81 * User.Read
82
83 {{figure}}
84 [[image:65_Intune_Delegierte Berechtigungen verteilen.png||data-xwiki-image-style-alignment="center"]]
85
86 {{figureCaption}}
87 Distribute delegated permissions
88 {{/figureCaption}}
89 {{/figure}}
90
91 Tick the appropriate items, scroll back to the top, click the //Application Permissions// field and add the following permissions:
92
93 * DeviceManagementApps.Read.All
94 * DeviceManagementConfiguration.Read.All
95 * DeviceManagementManagedDevices.PrivilegedOperations.All
96 * DeviceManagementManagedDevices.Read.All
97 * DeviceManagementManagedDevices.ReadWrite.All
98 * DeviceManagementServiceConfig.Read.All
99 * User.Read.All
100
101 When you have selected all the permissions, click //Add Permissions//. You will see the entries in the overview.
102
103 {{figure}}
104 [[image:65_Intune_Verteilte Berechtigungen (ohne Einwilligung).png||data-xwiki-image-style-alignment="center"]]
105
106 {{figureCaption}}
107 Deployed permissions (without consent)
108 {{/figureCaption}}
109 {{/figure}}
110
111 If you have not already done so, you may need to give your consent to the permissions. To do this, click on the //Grant administrator// //consent for// //"%Your Company%//" field. This will change the status and the user permission will be granted.
112
113 {{figure}}
114 [[image:65_Intune_Bewilligte Berechtigungen.png||data-xwiki-image-style-alignment="center"]]
115
116 {{figureCaption}}
117 Authorised permissions
118 {{/figureCaption}}
119 {{/figure}}
120
121 == Upload client secret key or certificates ==
122
123 Later, during the initial setup of the ACMP Intune Connector, you have to specify an authentication type in the AESB console. You can choose from two methods supported by the Microsoft Client Credentials Provider: //Certificate// or //Client Secret Key//.
124
125 {{aagon.infobox}}
126 The procedure differs depending on the authentication type selected. Read below to find out what you need to consider for each method.
127 {{/aagon.infobox}}
128
129 === Upload certificate ===
130
131 {{aagon.infobox}}
132 Due to the higher level of security, Microsoft recommends that you use a certificate as your credential.
133 {{/aagon.infobox}}
134
135 Certificates can be used as an authentication method to log in to Azure Active Directory in the AESB console. A certificate always consists of a public and private part, where the public key is loaded directly into Azure AD. The private part is used in the AESB console. This certificate pair needs to be generated beforehand. Read how to generate a certificate via [[Microsoft>>url:https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal]] or[[ Open SSL>>url:https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key]].
136
137 Navigate to //Certificates & Secrets// in the previously registered application. In the details, click on the //Certificates// tab and upload the previously created certificate.
138
139 {{figure}}
140 [[image:65_Intune_Zertifikat hochladen.png||data-xwiki-image-style-alignment="center"]]
141
142 {{figureCaption}}
143 Upload certificate
144 {{/figureCaption}}
145 {{/figure}}
146
147 A field will open on the right hand side where you can upload the certificate. Browse to the appropriate directory, upload the file and enter an optional description for the certificate. Then click Add and the certificate will be saved for the application.
148
149 {{aagon.infobox}}
150 Please note that only .cer, .pem and .crt file types are supported when uploading a certificate.
151 {{/aagon.infobox}}
152
153 {{figure}}
154 [[image:65_Intune_Hochgeladenes Zertifikat in der Azure Active Directory.png||data-xwiki-image-style-alignment="center"]]
155
156 {{figureCaption}}
157 Uploaded certificate in the Azure Active Directory
158 {{/figureCaption}}
159 {{/figure}}
160
161 === Adding a secret client key ===
162
163 The secret client key is a string of characters used by the enterprise application as an authentication key or proof of identity when requesting the token. To do this, go to the Permissions area within the registered application (//Security// > //Permissions//) and click the Application Registration link. Navigate to //Certificates// & //Secrets//. In the details, click the //Secret Client Keys// tab and create a new key.
164
165 {{figure}}
166 [[image:65_Intune_Neuen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
167
168 {{figureCaption}}
169 Store new client key
170 {{/figureCaption}}
171 {{/figure}}
172
173 When creating a new secret client key, you can configure the validity period. Note that once the validity period has expired, a new key must be created and stored in the AESB.
174
175 {{figure}}
176 [[image:65_Intune_Geheimen Clientschlüssel hinterlegen.png||data-xwiki-image-style-alignment="center"]]
177
178 {{figureCaption}}
179 Adding a secret client key
180 {{/figureCaption}}
181 {{/figure}}
182
183 {{aagon.infobox}}
184 You will need the secret client key you created when you set up the AESB. Keep this in mind for future reference.
185 {{/aagon.infobox}}
186
187 = Configuration in AESB and ACMP =
188
189 Before you can use Intune in ACMP, you need to do some preliminary work in the ACMP and AESB consoles.
190
191 == 1. **ACMP console: Check SICS connection in ACMP** ==
192
193 It is necessary that you have a working SICS connection in ACMP. To do this, go to //System// > //Settings// > //ACMP Server// > //SICS Connection//. First tick the box to enable the connection. Then enter the host and port, as well as the user name and password for the operator. You specified the corresponding operator during the installation of the AESB, which you must also specify here. Specify whether to attempt an unencrypted connection if SSL/TLS fails. Then test the connection.
194
195 Also tick the Public API access rights box to grant access. You can now save your settings. ACMP and SICS are now connected to each other.
196
197 {{figure}}
198 [[image:65_Intune_SICS-Verbindung_575.png||alt="65_ACMP_Einstellungen_SICS Verbindung.png" data-xwiki-image-style-alignment="center"]]
199
200 {{figureCaption}}
201 Set up SICS connection in ACMP
202 {{/figureCaption}}
203 {{/figure}}
204
205 == 2. AESB console: **Install and configure the Intune Connector** ==
206
207 Now go to the AESB console. From the Dashboard, navigate to the //Products// menu item. In the overview you will find a list of all packages available for installation or updates. Select //ACMP Intune Adapter// and click //Install// either in the quick selection bar or directly in the fields. A new window will open and the installation will begin.
208
209 {{figure}}
210 [[image:65_AESB_Übersicht des ACMP Intune Adapters in der AESB Console.png||data-xwiki-image-style-alignment="center"]]
211
212 {{figureCaption}}
213 Overview of the ACMP Intune Adapter in the AESB Console
214 {{/figureCaption}}
215 {{/figure}}
216
217 The first step tells you what you need to have already done to successfully install the Intune Adapter: You need a configured and working Microsoft Intune instance and a working ACMP SICS connection. In the second step of the installation wizard, you have the option to assign a template name at the top of the pages.
218
219 Under //Intune Connector Configuration//, you can set basic settings for the Intune Connector. Under ACMP Server ID, you need to specify the server to which the changes will be sent. If you enter an asterisk, the changes will be sent to all ACMP servers that have a SICS connection and whose connection information is identical to the information you entered in step //[[1. ACMP console: Check SICS connection in ACMP>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]]//. You can also specify the name of the workflow instance under which the settings are to be sent. You can do this under //Ondemand definition name//.
220
221 In the //Intune Configuration// menu item, you can now use one of the two login methods: the secret client key or a certificate.
222
223 === Option 1: Certificate authentication method: ===
224
225 {{aagon.infobox}}
226 Microsoft recommends the certificate authentication method.
227 {{/aagon.infobox}}
228
229 Configuring Intune with a certificate is very similar to the //secret client key// authentication method. You only need to upload the certificate and enter its password.
230
231 Select //Certificate// as the authentication type. Enter the certificate to be used in the Certificate field. Only .pfx files can be uploaded. Then enter the certificate password, if available. Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (it runs under the tenant) in the fields provided. Both strings can be found in the general information of the previously registered business application on the Azure AD pages.
232
233 {{figure}}
234 [[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png||data-xwiki-image-style-alignment="center"]]
235
236 {{figureCaption}}
237 Enter the application and directory ID
238 {{/figureCaption}}
239 {{/figure}}
240
241 {{figure}}
242 [[image:65_AESB_Hochladen des Zertifikats.png||data-xwiki-image-style-alignment="center"]]
243
244 {{figureCaption}}
245 Uploading the certificate
246 {{/figureCaption}}
247 {{/figure}}
248
249 === Option 2: **Secret client key authentication method:** ===
250
251 Select //secret client key// as the authentication type. Under //secret client key//, enter the value that you generated as the secret key on the [[Azure Active Directory pages>>doc:||anchor="HUploadclientsecretkeyorcertificates"]].
252
253 {{aagon.infobox}}
254 Please note that the value is displayed in abbreviated form. This means that it will have a different character length when entered in the AESB console.
255 {{/aagon.infobox}}
256
257 {{figure}}
258 [[image:65_Eingabe des geheimen Clientschlüssels.png||data-xwiki-image-style-alignment="center" height="234" width="1000"]]
259
260 {{figureCaption}}
261 Enter the secret client key
262 {{/figureCaption}}
263 {{/figure}}
264
265 Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (under which the Tenant runs) in the fields provided. Both strings can be found in the general information of the previously registered Enterprise Application (Azure AD).
266
267 {{figure}}
268 [[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png||data-xwiki-image-style-alignment="center"]]
269
270 {{figureCaption}}
271 Enter the application and directory ID
272 {{/figureCaption}}
273 {{/figure}}
274
275 {{figure}}
276 [[image:65_AESB_Eingabe der Informationen zum geheimen Clientschlüssel.png||data-xwiki-image-style-alignment="center"]]
277
278 {{figureCaption}}
279 Enter the info for the secret client key
280 {{/figureCaption}}
281 {{/figure}}
282
283 Click //Verify Connection//. If the connection is successful, you will be taken to the //scanner configuration//, where you can optionally set time intervals for the scanner. If you do not want to make any changes, click //Next//.
284
285 The Intune adapter installation will begin in the background. When the installation is complete and all items have been successfully installed, you can click //Finish//. You will be returned to the AESB Console Overview page. There are several places in the AESB Console where you can check that the installation was successful and that all the required applications are available:
286
287 |**Navigation point**|**Description**
288 |Microservices|Below the Supervisors & microservice instances, you will see the entries //IntuneConnector_1 //and //IntuneWorkflowEngine_1//.
289 |Workflows|Within the Workflow engines & instances section, the entries //IntuneWorkflowEngine_1 //and //IntuneMobileDevices_1 //must be listed.
290
291 {{aagon.infobox}}
292 You can also install the Intune Connector more than once. This allows you to use both the secret client key and the certificate as the authentication type. A dual installation is useful, for example, if you are using multiple ACMP servers and want the data to flow to them. Multiple installations will increment the microservices and workflow entries. In this case, you would have, for example, //IntuneWorkflowEngine_1//,// IntuneWorkflowEngine_2, and IntuneMobileDevices_1 and IntuneMobileDevices_2//.
293 {{/aagon.infobox}}
294
295 = How to use Intune in ACMP =
296
297 Once you have set up the ACMP Intune Connector, devices are imported from Intune into ACMP. You can use this data in queries and reports, for example. You can also send some actions to the devices through ACMP.
298
299 == Query Actions ==
300
301 Navigate to //Client Management// > //Query Management//. Open a query that contains the required Clients.
302
303 In the query result set you will see the inventoried Client types (e.g. Clients of type Android, iOS or Windows). Select the Clients on which you want to perform an Intune action.
304
305 {{figure}}
306 [[image:65_Abfrageaktionen_Intune relevante Abfrageaktionen.png||data-xwiki-image-style-alignment="center"]]
307
308 {{figureCaption}}
309 Intune-relevant Query Actions
310 {{/figureCaption}}
311 {{/figure}}
312
313 You can choose between the following actions:
314
315 {{aagon.infobox}}
316 Note that any subsequent actions (sending notifications,retire devices, etc.) that you want to send or perform on the endpoint via Intune may be delayed. The status of the job will be shown as //Finished// in the Job Monitor as the action has been executed by ACMP and successfully passed to Intune.
317 {{/aagon.infobox}}
318
319 |**Query Actions**|(% style="width:1141px" %)**Description**
320 |Send Intune notification|(% style="width:1141px" %)You can use this action to send Intune notifications to the [[Company Portal app>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]] on the selected devices. The messages may also appear on lock screens or in the Android apps. Make sure you only share information that is not too sensitive if you want to send notifications about it.
321 \\Enter both a title and body text, then click //Execution//.
322 |Retire Intune devices|(% style="width:1141px" %)This action deletes the Intune-specific settings on the selected devices. It also removes the //Company Portal app// and deletes the selected devices from Intune Management.
323 |Wipe Intune devices|(% style="width:1141px" %)If you want to reset an Intune device to its factory settings, choose this action. This will also delete the device from Intune Management. You must select the checkbox for this step and confirm the confirmation prompt before you can perform the action.
324 |Remotely lock Intune devices|(% style="width:1141px" %)If you want to lock Intune devices remotely, you can do so from the Action. This requires the user to correctly enter their chosen security mechanism (PIN, password, facial recognition, etc.) on the endpoint to unlock the device.
325 |Synchronize Intune devices|(% style="width:1141px" %)This action causes selected Intune devices to send their inventory data to Intune. This allows you to keep devices up to date with the latest information.
326
327 == Client Details ==
328
329 If you want to view information about an Intune device, you can get all the relevant data from the Client Details. To do this, navigate to the required client in a query and double-click to open the details.
330
331 Under the //Mobile Device Management// > //Mobile Device// menu, you can find all the information about the stored mobile device. If you want to perform an Intune related action on the selected Client, you can use the options in the [[quick selection bar>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]].
332
333 {{aagon.infobox}}
334 There are fields for all the information stored here, which you can use in queries, filters and reports, for example.
335 {{/aagon.infobox}}
336
337 {{figure}}
338 [[image:65_Abfrageaktion_Ansicht der Intune Client Details.png||data-xwiki-image-style-alignment="center"]]
339
340 {{figureCaption}}
341 View of the Intune Client details
342 {{/figureCaption}}
343 {{/figure}}
© Aagon GmbH 2025
Besuchen Sie unsere neue Aagon-Community